Can I have more than three redirect URIs for my app?

If your scenario requires more than three redirect URIs (e.g. users need to be redirected back to a number of different subdomains) then you can create a central redirect URI and use the state parameter to pass the values your app needs to produce the desired user experience.

  • Create a central redirect URI for your app to complete the authorization step. Send application-specific parameters (e.g. the subdomain) in the state parameter. Take care to also still guard against CSRF.

  • When the user is redirected back to your central redirect URI the state parameter is sent back to your app.

  • Your app can then use the value in the state parameter to determine which URL to send the user to. Make sure you still validate the state value for CSRF protection before acting on it.

Note: This approach could be compromised by the open redirector threat described in RFC 6819. Be careful to protect these parameters by encrypting the state or verifying them by some other means.
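As an added illustration of the approach above (not code from the original page), here is one way to bundle the subdomain and a per-session CSRF nonce into a single HMAC-signed state value, and to validate it on the callback so that a forged or tampered state can never turn the central redirect URI into an open redirector. The key, the allow-list of subdomains, the base domain and the callback path are constructed placeholder values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed placeholder values; load the key from a secret store in practice.
STATE_KEY = b"constructed-example-key-do-not-use-in-production"
ALLOWED_SUBDOMAINS = {"acme", "globex", "initech"}
BASE_DOMAIN = "example.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(subdomain: str) -> Tuple[str, str]:
    """Build a signed state carrying the target subdomain and a fresh nonce.
    Returns (state, nonce); the nonce must be stored in the user's session."""
    if subdomain not in ALLOWED_SUBDOMAINS:
        raise ValueError("unknown subdomain")
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"sub": subdomain, "nonce": nonce}, separators=(",", ":")).encode()
    sig = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig), nonce


def resolve_redirect(state: str, session_nonce: str) -> Optional[str]:
    """Validate the returned state and pick the final URL; None means reject."""
    try:
        payload_b64, sig_b64 = state.split(".", 1)
        payload, sig = _unb64url(payload_b64), _unb64url(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed state
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged state
    data = json.loads(payload)  # safe to parse: signature verified above
    if not hmac.compare_digest(data.get("nonce", ""), session_nonce):
        return None  # CSRF: state was not issued for this user's session
    if data.get("sub") not in ALLOWED_SUBDOMAINS:
        return None  # only redirect to hosts we control
    return f"https://{data['sub']}.{BASE_DOMAIN}/oauth/done"
```

Encrypting the state (as the note suggests) additionally hides the subdomain from the user; signing alone is enough to stop tampering and forgery.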